How to Implement the Risk Inquiry Service

The Risk Inquiry Service (RIS) joins device data provided from the data collector process with the customer order data sent from the merchant. Once the device data and the order data are combined, RIS evaluates and scores each transaction. After the evaluation, RIS returns a response string back to the merchant to be used by the merchant to approve, decline, or hold the order for review. Each transaction continues to be evaluated and dynamically scored for up to fourteen days. The following section describes how to implement the RIS.


RIS process

  1. Customer initiates purchase.
  2. Merchant initiates RIS request to Kount via HTTPS URL encoded post.
  3. Kount evaluates transaction.
  4. Kount returns evaluation response to merchant.
  5. Notification is displayed to customer.

Risk Inquiry Service Payment Types

Kount supports multiple payment types and depending upon the payment type chosen by the customer certain payment tokens are required. If the PayPal Payer ID or Google Checkout Account ID is not sent in the inquiry mode, then it must be sent in the update mode related to the transaction otherwise the order details will not be displayed in the Agent Web Console (AWC).

Kount can add arbitrary payment types rapidly to support an international market. To view the current list of supported payment types, go to Application Programming Interface (API) Endpoint.

Kount allows a great deal of control over fraud management through a variety of methods including the risk score, rules to determine risk thresholds, VIP lists, and many others that are administered through the AWC. Kount also provides the ability for interaction for some functions without the need of the AWC by utilizing the Event Notification System (ENS) and the API.

Specification guides for the ENS and API can be requested from your account manager or accessed in the API endpoints list.

RIS Encryption Types

When using the Kount SDK all credit card information, by default, uses the KHASH encryption method where the credit card information is irreversibly hashed prior to transmission from the merchant to Kount.
When using the JAVA or .NET SDKs (due to the compiled nature of the languages) KHASH is the only option for payment encryption. JAVA or .NET environments must use a direct post (outside of the SDK) method if MASK encryption is chosen.

If not using the SDK the following encryption options are available.


Kount proprietary hash used to hash the credit card number before passing it to Kount. The hashing algorithm source code can be found in each one of the SDKs or can be requested from Kount.


Output - BIN + 14 alphanumeric characters

Example: 123456A12C34E56G7DFG


Ability to pass the first six and last four numbers of a credit card filled in with XXXs. PENC=MASK is only valid with PTYP=CARD


Output BIN + 10 capital “X” characters + Last 4 of credit card

Example: 123456XXXXXXXXXX7890

Note: The “X” characters must all be capital “X”. The above example value is just for purposes of illustration. The PTOK should be the same length as the original card number. You can use the card number with the first 6 and last 4 numerals present and the rest of the numbers in the card masked by “X”, but the number of characters must be the same as those of the actual card number.

Risk Inquiry Service Requirements

RIS data posted to Kount must be URL encoded and submitted as key-value pairs. Much of the work can be simplified by utilizing a Kount provided SDK, including URL encoding. Kount provides a SDK for Java, .NET, PHP, Perl, and Mobile environments.

Recommendations regarding each development environment and their supported versions, configuration, logging, and paths are found in the README file located in the docs directory in each respective SDK.

Please read the documentation associated with each SDK.

  1. Port 443 must be available to post and receive data from Kount.
  2. API Keys are used to authenticate the RIS HTTPS submission to Kount – similar to a password. A single API Key will be used for RIS submissions, the key is not subject to expiration date and does not require re-issuance. To generate an API Key, navigate to the ADMIN tab and then API Keys. Refer to How to Authenticate the Risk Inquiry Service for additional information.
    Note: API Keys can only be used with Kount version 0630 and newer.
  3. SSL support is required for the RIS process. TLS version 1.2 is currently supported.
  4. The session identifier created during the data collector process must be passed as the session identifier for the RIS transaction. This identifier must be unique for at least 30 days. If a single Session ID were to be used on multiple transactions, those transactions would link together and erroneously affect the persona information in the risk score.
  5. RIS posts are limited to a total of 40,960 characters or bytes.
  6. To utilize the various SDKs, several required static settings must be configured. Please refer to the README files included in each of the SDKs.
    • PHP settings.ini
    • .NET App.config
    • Python
    • Java All settings are included in inquiry

Required Static Settings Found in the SDK





Merchant ID


Six-digit identifier issued by Kount.




HTTPS URL path to the company’s servers provided in boarding documentation from Kount.



Specifies which logger to use: SIMPLE or NOP.




If SIMPLE logging is enabled, it lists logging levels in order of decreasing severity: FATAL, ERROR, WARN, INFO, DEBUG




Name of the log file for SIMPLE logging




Path to where log file will be written. (Must be a valid path)




API Key value copied from clipboard – originating from API Key page within the AWC

Alphanumeric hashed value provided by Kount

Client Certificate (deprecated field for legacy certificates)


Depending on the SDK environment certain client certificate information will be required.


Was this article helpful?
0 out of 0 found this helpful